17 May 2019

Week in review

AUSCERT Week in Review for 17th May 2019

AUSCERT Week in Review
17 May 2019

Greetings,

Hoo boy, what a week!

– This patch Tuesday, Microsoft gave us CVE-2019-0708, a remote code execution vulnerability in remote desktop services. An exploit could potentially propagate like a worm, so this was severe enough for Microsoft to release free updates to Windows XP and Server 2003.

– Not to be outdone, Cisco released a flock of advisories this week, including a vulnerability which allows a persistent backdoor without physical access to the device.

– WhatsApp has provided an update due to a vulnerability that allows spyware to be injected onto your phone.

– And the pièce de résistance, Intel have announced four new microprocessor flaws which could allow unauthorised access to cached data.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Prevent a worm by updating Remote Desktop Services
Date published: 14/05/2019
URL: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Author: MSRC Team
Excerpt: “Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Title: MDS – Microarchitectural Data Sampling – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
Date published: 14/05/2019
URL: https://access.redhat.com/security/vulnerabilities/mds
Author: Red Hat
Excerpt: “Four new microprocessor flaws have been discovered, the most severe of which is rated by Red Hat Product Security as having an Important impact. These flaws, if exploited by an attacker with local shell access to a system, could allow data in the CPU’s cache to be exposed to unauthorized processes. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or the underlying host system. Red Hat has mitigations prepared for affected systems and has detailed steps customers should take as they evaluate their exposure risk and formulate their response.”

Title: Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
Date published: 13/05/2019
URL: https://www.zdnet.com/article/thrangrycat-flaw-lets-attackers-plant-persistent-backdoors-on-cisco-gear/
Author: Catalin Cimpanu
Excerpt: “A vulnerability disclosed today allows hackers to plant persistent backdoors on Cisco gear, even over the Internet, with no physical access to vulnerable devices.

Named Thrangrycat, the vulnerability impacts the Trust Anchor module (TAm), a proprietary hardware security chip part of Cisco gear since 2013.”

Title: WhatsApp urges users to update app after discovering spyware vulnerability
Date published: 14/05/2019
URL: https://www.theguardian.com/technology/2019/may/13/whatsapp-urges-users-to-upgrade-after-discovering-spyware-vulnerability
Author: Julia Carrie Wong
Excerpt: “WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function.

The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.”

Title: Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
Date published: 13/05/2019
URL: https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
Author: Sergiu Gatlan
Excerpt: “Linux machines running distributions powered by kernels prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free, related to net namespace cleanup, exposing vulnerable systems to remote attacks”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0137 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0137

Microsoft has released its monthly security patch update for the month of May 2019.

2) ASB-2019.0138 – ALERT [Win][UNIX/Linux][Appliance][Virtual] Intel CPU Microcode: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ASB-2019.0138

Intel has published a security advisory disclosing RIDL and Fallout, new speculative-execution side-channel vulnerabilities in the vein of Spectre and Meltdown.

3) ESB-2019.1721 – [Win][Mac] Adobe Acrobat and Reader : Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1721

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.

4) ESB-2019.1749 – [Win] Cisco Webex Players for Microsoft Windows: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.1749

Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

Stay safe, stay patched and have a good weekend!

Charelle.